从 Run a daemon (as root) on iOS 继续讨论:
snakeninny
snakeninny14-05-11
Originality: http://bbs.iosre.com/forum.php?mod=viewthread&tid=204&page=1&extra=#pid10961
Author: snakeninny
Please include the above name and link with repost, thank you.
Hello people!
A lot of you have been asking about the writing of a daemon on iOS recently, and Chris Alvares’ tutorial seems to be a little bit outdated. So today I’m gonna present you a simple guide of writing a daemon (and run it as root) on iOS, and this post will not only cover the process of composing a daemon, but the very basic theory contained in it. Our target today is a working daemon that reboots iOS when it receives a specified notification, “com.iosre.rootdaemon.reboot”. Have fun!
Part I Basic theory
- Daemon
What’s a daemon? According to wikipedia, a daemon “is a computer program that runs as a background process, rather than being under the direct control of an interactive user. Traditionally daemon names end with the letter d: for example, syslogd is the daemon that implements the system logging facility and sshd is a daemon that services incoming SSH connections.” You can name a few other daemons on iOS, say backboardd, mediaserverd, apsd, etc etc. Daemons are started by the first process on iOS, launchd, which is also a daemon, on boot time. What can a daemon do? It “serves the function of responding to network requests, hardware activity, or other programs by performing some task”. Note, daemons (running as root) can be soooooo powerful while staying low that even powerusers may not know the existence of a daemon, so some malwares are born as daemons. This post is for educational purposes only, you take the charge if you’re doing something risky.
Daemon ownership
Daemons are launched by launchd, via “launchctl” command plus their configuration files. On its man page, we should pay special attention to this sentence:“Note that per-user configuration files (LaunchAgents) must be owned by the user loading them. All system-wide daemons (LaunchDaemons) must be owned by root. Configuration files must not be group- or world-writable. These restrictions are in place for security reasons, as allowing writability to a launchd configuration file allows one to specify which executable will be launched.” Because daemons are loaded by launchd, which is owned by root:wheel,
FunMaker-5:~ root# ls -l /sbin/launchd
-r-xr-xr-x 1 root wheel 154736 Nov 8 2013 /sbin/launchd
so both a daemon and its config file must be owned by root too, it borns and runs as root. Take it in mind and we’ll get back to this later.
Part II Composing
As we have already stated in iOS App Reverse Engineering, daemons consists of 2 parts, an executable binary and a configuration plist file. So let’s make an executable binary with Theos now:
snakeninnys-MacBook:Code snakeninny$ /opt/theos/bin/nic.pl
NIC 2.0 - New Instance Creator[1.] iphone/application
[2.] iphone/cydget
[3.] iphone/framework
[4.] iphone/library
[5.] iphone/notification_center_widget
[6.] iphone/preference_bundle
[7.] iphone/sbsettingstoggle
[8.] iphone/tool
[9.] iphone/tweak
[10.] iphone/xpc_service
Choose a Template (required): 8
Project Name (required): rootdaemond
Package Name [com.yourcompany.rootdaemond]: com.iosre.rootdaemond
Author/Maintainer Name [snakeninny]: snakeninny
Instantiating iphone/tool in rootdaemond/…
Done.
And modify the content of main.mm
static void Reboot(CFNotificationCenterRef center, void *observer, CFStringRef name, const void *object, CFDictionaryRef userInfo)
{
NSLog(@“iOSRE: reboot”);
system(“reboot”);
}
int main(int argc, char **argv, char **envp)
{
NSLog(@“iOSRE: rootdaemond is launched!”);
CFNotificationCenterAddObserver(CFNotificationCenterGetDarwinNotifyCenter(), NULL, Reboot, CFSTR(“com.iosre.rootdaemon.reboot”), NULL, CFNotificationSuspensionBehaviorCoalesce);
CFRunLoopRun(); // keep it running in background
return 0;
}
This’s it. Now let’s turn to the config file, create a file with the name “com.iosre.rootdaemond.plist”, and fill it with the following contents:
<?xml version="1.0" encoding="UTF-8"?> KeepAlive Label com.iosre.rootdaemond Program /usr/bin/rootdaemond RunAtLoad Among those keys, Label "contains a unique string that identifies your daemon to launchd", Program contains the path of the executable, both of them are required. If you have arguments for the daemon, just add another key/value pair to the file like this:
ProgramArguments
arg1
arg2
more args…
After that we should put this config file under /Library/LaunchDaemons/, and we leave this job to “layout” folder, you definately know how if you are a careful reader. Our project looks like this: (2014.12.12 Edit: We should create an empty DEBIAN folder under layout)
Run “make package” and let’s check the owner of the deb:
snakeninnys-MacBook:rootdaemond snakeninny$ dpkg-deb -c /Users/snakeninny/Code/rootdaemond/com.iosre.rootdaemond_1.0-1_iphoneos-arm.deb
drwxr-xr-x snakeninny/staff 0 2014-05-11 15:52 ./
drwxr-xr-x snakeninny/staff 0 2014-05-11 14:45 ./Library/
drwxr-xr-x snakeninny/staff 0 2014-05-11 15:48 ./Library/LaunchDaemons/
-rwxr-xr-x snakeninny/staff 367 2014-05-11 15:37 ./Library/LaunchDaemons/com.iosre.rootdaemond.plist
drwxr-xr-x snakeninny/staff 0 2014-05-11 15:52 ./usr/
drwxr-xr-x snakeninny/staff 0 2014-05-11 15:52 ./usr/bin/
-rwxr-xr-x snakeninny/staff 197984 2014-05-11 15:52 ./usr/bin/rootdaemond
All files inside deb are owned by snakeninny:staff. Remember in the “Daemon ownership” part, daemons must be owned by root? So this daemon has wrong owner, which will lead to a load failure (you can try it out on your iOS).
You may wonde why? That’s because this deb is made on OSX, and the maker is snakeninny. To change its owner back to root:wheel, we need a tool called fauxsu by DHowett. Download a compiled version from here1, extract fauxsu and libfauxsu.dylib to $THEOS/bin/ and “chmod a+x” them. Make another package and check again (and also notice the edit at the end of this post):
snakeninnys-MacBook:rootdaemond snakeninny$ dpkg-deb -c /Users/snakeninny/Code/rootdaemond/com.iosre.rootdaemond_1.0-2_iphoneos-arm.deb
drwxr-xr-x root/wheel 0 2014-05-11 16:05 ./
drwxr-xr-x root/wheel 0 2014-05-11 14:45 ./Library/
drwxr-xr-x root/wheel 0 2014-05-11 15:48 ./Library/LaunchDaemons/
-rwxr-xr-x root/wheel 367 2014-05-11 15:37 ./Library/LaunchDaemons/com.iosre.rootdaemond.plist
drwxr-xr-x root/wheel 0 2014-05-11 16:05 ./usr/
drwxr-xr-x root/wheel 0 2014-05-11 16:05 ./usr/bin/
-rwxr-xr-x root/wheel 197984 2014-05-11 16:05 ./usr/bin/rootdaemond
Now the owner is correct. Run “make install” to setup this rootdaemond:
snakeninnys-MacBook:rootdaemond snakeninny$ make install
install.exec “cat > /tmp/_theos_install.deb; dpkg -i /tmp/_theos_install.deb && rm /tmp/_theos_install.deb” < “./com.iosre.rootdaemond_1.0-2_iphoneos-arm.deb”
Selecting previously deselected package com.iosre.rootdaemond.
(Reading database … 2589 files and directories currently installed.)
Unpacking com.iosre.rootdaemond (from /tmp/_theos_install.deb) …
Setting up com.iosre.rootdaemond (1.0-2) …
Again, the code can be downloaded here.
Part III Testing
Reboot to check if it’s launched on startup:
FunMaker-5:~ root# reboot
FunMaker-5:~ root# Connection to 192.168.1.101 closed by remote host.
Connection to 192.168.1.101 closed.
snakeninnys-MacBook:Code snakeninny$ ssh root@192.168.1.101
FunMaker-5:~ root# grep iOSRE /var/log/syslog
May 11 16:14:01 FunMaker-5 rootdaemond[20]: iOSRE: rootdaemond is launched!
FunMaker-5:~ root# ps -e | grep rootdaemond
20 ?? 0:00.13 /usr/bin/rootdaemond
370 ttys000 0:00.01 grep rootdaemond
FunMaker-5:~ root#
rootdaemond was started on boot, and it stays in the background. Finally, let’s check if it works as expected, with the following tester:
// compile: clang -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.0.sdk -o iOSRERootDaemonTester -arch armv7 /Users/snakeninny/main.mm
#include <notify.h>
int main(int argc, char **argv)
{
notify_post(“com.iosre.rootdaemon.reboot”);
return 0;
}
Scp iOSRERootDaemonTester to iOS, then run it:
snakeninnys-MacBook:~ snakeninny$ scp iOSRERootDaemonTester root@192.168.1.101:/var/tmp/
iOSRERootDaemonTester 100% 48KB 48.3KB/s 00:00
FunMaker-5:~ root# /var/tmp/iOSRERootDaemonTester
FunMaker-5:~ root# Connection to 192.168.1.101 closed by remote host.
Connection to 192.168.1.101 closed.
snakeninnys-MacBook:Code snakeninny$ ssh root@192.168.1.101
FunMaker-5:~ root# grep iOSRE /var/log/syslog
May 11 16:36:01 FunMaker-5 rootdaemond[20]: iOSRE: reboot
May 11 16:36:58 FunMaker-5 rootdaemond[20]: iOSRE: rootdaemond is launched!
FunMaker-5:~ root#
It works like a charm.
Part IV Conclusion
Actually daemons and agents on iOS/OSX are far more complicated than this post describes, and I strongly suggest you take a look at the references below. Again, daemons are powerful tools that can do both good and bad, you’d better know what you’re doing before you use them, and you should be really careful when you use them. Thanks for your time.
References:
- http://en.wikipedia.org/wiki/Daemon_(computing)
- https://www.chrisalvares.com/blog/7/creating-an-iphone-daemon-part-1/
- https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/launchctl.1.html
- Creating Launch Daemons and Agents
- https://developer.apple.com/library/mac/documentation/Darwin/Reference/Manpages/man5/launchd.plist.5.html
2014.5.22 Edit:
com.iosre.rootdaemond.plist should have permission 644, or this daemon MAY NOT get launched!
2014.10.16编辑:
翻译版请至这里2~
我想拓展这个示例,加入我想要的功能,写一个较复杂的守护进程。
但由于没有使用theos编写过tool,以及编程基础较薄弱,所以遇到一些问题没能解决。